3 Introduction There s one thing certain about today s business data: it doesn t stay in one place too long. It is transferred. It is shared with partners. It is batched and moved offsite. Data transfer happens in many ways; via networks, data center platforms, and FTP to name a few. Data center managers are constantly asked to do more with less, which means figuring out ways to move data faster and more efficiently without increasing costs. IBM s Sterling Connect:Direct is a commonly used file transfer tool that includes a basic layer of compression and security. Its popularity is due in part to its reputation as a reliable alternative to the typical FTP process. While Connect:Direct provides consistent delivery of data through automated scheduling, checkpoint restart and automatic recovery mechanisms, organizations using it still struggle to meet SLAs and ensure compliance as their data moves beyond the enterprise perimeter. By combining the file transfer strengths of Connect:Direct with the compression and strong encryption capabilities of SecureZIP, organizations can maintain a direct job flow, while providing the most secure and cost effective transportation for files on the move. 3

4 Understanding Connect:Direct IBM Connect:Direct has been in the marketplace since the late 80s and has been referred to as Network Data Mover (NDM), Sterling Connect:Direct and most recently IBM Sterling Connect:Direct. It was originally designed for managing the automated transfer of mainframe files from location to location utilizing SNA and eventually TCP/IP (over dedicated private lines primarily for security purposes). Connect:Direct is available for most major enterprise platforms and is generally used for automated high-performance file transfer, automated error handling and audit trail. A Connect:Direct client is used to communicate with a Connect:Direct server regarding the work that will be performed using one of the following client interfaces: Web browser Graphical user interface (GUI) Command line client (CLI) Connect:Direct can be utilized in a number of ways including: Automated file transfer via scripting and scheduling Automated file transfer via watch directories (directories that are scanned for files, with transfer processing that starts after files are found) On-demand file transfer via proprietary command language Each data transfer involves local and remote Sterling Connect:Direct servers (also referred to as nodes). The two servers work together in a peer-topeer fashion. The server initiating the connection is the primary node (PNODE) for the connection, and the server receiving the connection is the secondary node (SNODE). Connect:Direct offers up basic user authentication and user proxies to provide a degree of security for the basic product. For an additional cost, Connect:Direct Secure Plus allows the customer to select one of three security protocols for use during electronic transmission. These security protocols expose the organization to risk because they don t protect against man-in-the-middle attacks. Getting More Out of Connect:Direct SecureZIP combines ZIP compression and strong encryption to deliver data-centric security that helps organizations protect sensitive data, meet compliance requirements, and reduce overall costs. Adding SecureZIP into the Connect:Direct workflow enables organizations to maintain all the best features of Connect:- Direct (automated file transfer, error handling and auditing) while maximizing efficiency and security for data as it moves. This provides a better way to transfer secure files and utilizes other enhancements you already have in-house. SecureZIP works in a cooperative nature within the Connect:- Direct environment in these three critical categories: Enhanced Security Increased Performance Reduced Cost 4

5 Connect:Direct Connect:Direct Client Client SECUREZIP ENCRYPTS DATA AT THE FILE LEVEL SO THAT IT IS SECURE AS IT MOVES DURING THE TRANSFER PROCESS. ENHANCING SECURITY SecureZIP complements the authentication and user proxy security of Connect:Direct by providing a layer of data-centric security that encrypts data at the file level so that as data moves during the transfer process it is secure. It is important to note that because Connect:Direct does not support hardware crypto through ICSF or provide end-to-end data protection, complementary data-centric security is required to achieve compliance with major government and industry regulations, as well as protect against the risk associated with a data breach. Security Advantages of Using Connect:Direct and SecureZIP Complement existing security investments: Can be used with passphrase, public/private key pairs utilizing X.509 certificates or OpenPGP Keys for encryption/decryption, using either the ZIP or OpenPGP security format. Takes full advantage of System z hardware crypto such as CPACF CryptoExpress cards through ICSF. Digital signing/authentication: Encryption capabilities that utilize hardware crypto through ICSF assure that files have not been altered. Strong encryption: Data is protected with 3DES or AES (128, 192, or 256-bit) encryption algorithms. Maintain control of data: A contingency key provides administrative access to any encrypted data processed within the environment. Hardened policy lock-down: Use SAF to establish strictly enforced security controls. 5

6 IMPROVING FILE TRANSFER TIME Due to the nature of the Connect:Direct process, file bottlenecks can occur. The IBM documentation states that the compression ratios utilized in Connect:Direct may reach up to 50%. SecureZIP compresses files COST by SAVINGS up to 95% percent and can reduce transmission times by 40% or more. More data can be managed in the same amount of time allowing batch processing to complete faster. This compression approach allows organizations to include thousands of files in a single.zip container, eliminating the need for multiple jobs (and multiple opportunities for failure). Performance Advantages of Using Connect:Direct and SecureZIP System integration: Directly write to, and read from, UNIX/Linux and Windows file systems. Application integration: After an application completes processing, it streams the data to SecureZIP for encryption unprotected data is never staged to disk. Exchanges files with other platforms without disruption: Streamlines the EBCDIC/ASCII conversion process. LOWERING YOUR PROCESSING SPEND For many organizations, IT budgets are the same or even less than they were the previous year. At the same time, processing throughput is expected to rise. Companies need to improve efficiency in order to stretch existing budgets. Connect:Direct allows organizations to add automation to the daily movement of files between locations and adds a layer of security in the process. However, since compression and encryption aren t Connect:Direct s core competencies, those functions increase the processing load and cause a negative effect on the entire system (particularly with response time). Cost Saving Advantages of Using Connect:Direct and SecureZIP Reduce file size: ZIP compression allows you to reduce file size up to 95%, saving time and valuable system resources. Support for ziip: Offload processing to IBM z Integrated Information Processors (ziip) to free up general computing capacity and lower overall total cost of computing for select workloads (Connect:Direct does not support ziip for compression). Support for zedc: Direct compression workload to the zedc cards frees up general CP resources. 6

7 SQL SQL Extract + SQL Import = Client ADDING SECUREZIP TO THE CONNECT:DIRECT ENVIRONMENT IMPROVES TRANSFER, REDUCES CPU UTILIZATION AND ENCRYPTS DATA. DECRYPT & DECOMPRESS ENCRYPT & COMPRESS Connect:Direct Use Cases At PKWARE, we ve worked with several organizations that have benefited from adding SecureZIP for z/os to their Connect:Direct environment. These use cases illustrate real-world examples and benefits. USE CASE: ELIMINATING MISSED SLAS A retailer was consistently missing deadlines for SLA reports sent to their partners. They were utilizing a z10-bc W05 with a ziip specialty engine. They had a three-hour SLA to move 100 files, totaling 5GB using Connect:Direct. The costs associated with the ongoing missed SLAs were beginning to pile up. The retailer was spending more than $10,000 each month to cover the contractual penalty for missing these SLAs. To make matters worse, their machines were running at peak capacity during the transfer due to the rigorous nature of the Connect:Direct process. The company added SecureZIP for z/os to their Connect:Direct environment. Because SecureZIP for z/os offloads the compression workload to the existing ziip specialty engine, the company was able to alleviate 90% of the processing load from the general CP. Their elapsed processing times dropped to about 15 minutes, and transfer times dropped to 10 minutes. Both were drastic reductions from the previous three-hour window. 7

8 The retailer was able to effect this change by adding a step to the job stream in fact, only a few lines of JCL were modified without any application programming changes. Their Connect:Direct configuration remained the same. They were able to reap the benefits of a faster, more efficient process which utilized significantly fewer CPU cycles and avoided the $10,000 in monthly missed SLA penalties they were previously paying. USE CASE: CUTTING DOWN TRANSMISSION TIMES A retailer was sending transactional credit card data collected at store locations to their corporate headquarters for processing on an IBM i midrange system. Their backup requirements consisted of daily object mirroring from the production box to the development machine for business continuity via Connect:Direct over a T1 line. They also ran nightly tape backups of sensitive customer data for offsite storage. Processing times for backups were a continuous challenge and as data volume increased, it was becoming more difficult to meet the times required for the processing window. They were utilizing Connect:Direct to handle the file transfer management schedule but they were just not getting the most efficient throughput of the files. Due to a flat networking budget, the retailer couldn t increase bandwidth. They were also required to meet PCI compliance, which is the norm for companies processing financial credit card data. The retailer choose SecureZIP for IBM i as a complementary addition to their Connect:Direct job flow. SecureZIP combined the compression, encryption and SAVF file creation into one step, keeping CPU consumption to a minimum. It also allowed them to connect to their development box over the network instead of through a T1 line, which reduced costs. The IBM i PKWARE Save/Restore Application (ipsra) reduced time requirements and disk space by allowing SecureZIP to compress/encrypt IBM i save files directly to a file in a ZIP archive, essentially skipping the intermediate step. The ipsra assisted with reducing the save data as well as with securing the data for offsite storage. This prevents the dependency on specific hardware technology that may not be available and compatible with the intended recipient or custodian of your information. The ipsra process can execute multiple save operations with one compression run, making it unnecessary to run repeated individual save commands. The retailer has cut its nightly FTP file transmission time in half, reducing it to 5.5 hours, while at the same time utilizing the Connect:Direct scheduling feature to maintain the automated production job stream. 8

9 USE CASE: AUTOMATING HARDENED SECURITY A credit card processing company was handling millions of files each day. A significant amount of those files originated on the mainframe and were then sent to a number of partners using Connect:Direct. The data being exchanged needed to be secure during transport as well as while at rest in their data center. The company s partners used various methods for securing their data. Some used passphrase, some used X.509 certificates and others used OpenPGP. The credit card processing company chose SecureZIP because it allows them to use any of those three security formats as well as administer policy to automatically encrypt files based upon where the data was going. They were able to consistently apply hardened, locked down security to their outbound data at its creation point in their production job streams on a consistent and automatic basis. USE CASE: USING CRYPTO TO ACHIEVE FEDERAL A payments processing company that does work with the U.S. federal government deals with a lot of sensitive information using Connect:Direct. Working with the U.S. government required them to encrypt everything in accordance with the federal standard, FIPS On its own, Connect:Direct is not FIPS compliant. The company had acquired an zec12 with a Crypto Express 4S card configured as a co-processor. They were running in Secure Key Mode and used only AES 256-bit encryption, and because of that, they did all the encryption work with the Crypto Express 4S card. Connect:Direct does not support hardware crypto through ICSF so the company used SecureZIP for z/ OS to take full advantage of System z hardware crypto such as CPACF and CryptoExpress cards through ICSF. By configuring SecureZIP for FIPS mode, the company created a FIPS compliant workload. This drastically reduced the amount of processing required on the more expensive general CPs while achieving FIPS compliance. It also created the smallest data footprint to ever pass through their Connect:Direct node. USE CASE: REDUCING TRANSMISSION FAILURES ON A DISTRIBUTED PLATFORM One of our clients transmitted a large number of files using Connect:Direct on the distributed platform. They were contractually obligated to a very stringent six-hour SLA from midnight to 6 a.m. for distribution of data to a number of their customers. They were continually missing their SLA deadlines because networking issues caused bottlenecks in their production runs from job failures with clients less robust network connections. Jobs would queue up as failures would occur during the transmit phase of their operation, 9

10 which required multiple job restarts to successfully previously 10 GB and taking more than two hours to transmit the data. process were now sent successfully in approximately The company implemented SecureZIP into their Connect:Direct workflow by adding a job step into existing JCL. This allowed them to aggregate numerous files into a single file which was significantly compressed during the job process prior to reaching the transmit stage of the Connect:Direct transfer. Files that were 12 minutes over the very same network infrastructure. The client was able to process the entire job stream in less time than it had taken to transmit a single job. Additionally, the number of transmission failures was drastically reduced due to the reduced number of transmissions that were made. USE CASE: FACILITATING EFFICIENT FILE TRANSFER IN A RAPIDLY GROWING PARTNER NETWORK One of our financial customers processes millions of encrypted files daily. They were constantly in a state of spend and looking for a way of doing more with less. Their problem was two-fold: they were hitting peak processing states numerous times throughout the day and the time required to onboard new clients (with their disparate computing platforms) required weeks or even months, resulting in lost revenue. They were already utilizing Connect:Direct to automate the file transfer process, but because their clients encryption methodologies and hardware platforms varied so greatly, each new client required a unique setup. This presented a dilemma; if they continued to grow their business and bring on additional clients, they would need to significantly increase their mainframe spend or risk additional financial penalties on an already heavily utilized box. They were also incurring the additional personnel costs associated with the client onboarding process. SecureZIP provided the ability to create new processing efficiencies that enabled the company to maintain response times and to create a single, repeatable process regardless of the new client and platform being onboarded. As part of the procurement process for SecureZIP, a benchmark analysis was performed, measuring the transfer time for files of various sizes using SecureZIP versus IBM Encryption Facility for z/os. The analysis revealed exceptional results; when using IBM Encryption Facility, elapsed time was six times longer and CPU utilization was 14 times higher than when using SecureZIP for encryption. By using SecureZIP for z/os, the company was able to avoid a $6.6 million investment in additional processor capacity, which it would have needed to maintain its system utilization and maximize throughput utilizing Connect:Direct. SecureZIP allowed them to utilize OpenPGP, X.509 certificates and passphrases that their new clients contracts required. Additionally, because SecureZIP works on all major hardware computing platforms, the company s business units used a repeatable onboarding process that allowed them to bring new clients up to speed within a matter of days. Resources that were previously tasked with onboarding new clients were redirected to other revenue generating projects. 10

11 Summary As IT budgets continue to shrink and security threats grow, organizations need to constantly evaluate their security and performance strategies. While Connect:Direct provides reliable mainframe transfer capabilities, organizations using it should also consider security, performance and cost. Adding SecureZIP to the Connect:Direct workflow ensures that data is secure at the endpoint and during transfer while at the same time delivering performance improvements that drive down data center costs. SecureZIP s file level methodology maintains the compression and encryption of files throughout the life cycle of the data being processed and moved, all while maintaining the automated nature of the process creating the files in the batch environment. Files created with SecureZIP have the smallest footprint (up to 95% compression) while being encased in an encrypted (up to AES 256-bit) ZIP or OpenPGP container. This creates the most efficient and secure means for file transmission via Connect:Direct while utilizing the least amount of CPU during processing of compression and encryption. CORPORATE HEADQUARTERS 648 N. Plankinton Ave. Suite 220 Milwaukee, WI UK / EMEA Building 3 Chiswick Park Chiswick High Road, London W4 5YA United Kingdom +44 (0) Copyright 2014 PKWARE, Inc. and its licensors. All rights reserved. PKWARE is a registered trademarks of PKWARE, Inc. Trademarks of other companies mentioned in this documentation appear for identification purposes only and are property of their respective companies. 11

Secure your data. Wherever it is, Wherever it goes, However it gets there......on all major platforms. For every user. SecureZIP Product Family SecureZIP products are designed as enterprise-class, data-centric

Secure Database Backups with SecureZIP A pproved procedures for insuring database recovery in the event of a disaster call for backing up the database and storing a copy of the backup offsite. Given the

WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

SafeNet vs. Native Encryption Executive Summary Given the vital records databases hold, these systems often represent one of the most critical areas of exposure for an enterprise. Consequently, as enterprises

THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has

Beyond: Optimizing Gartner clients using deduplication for backups typically report seven times to 25 times the reductions (7:1 to 25:1) in the size of their data, and sometimes higher than 100:1 for file

Pixius Advantage Outsourcing Managed Services Move forward with endpoint protection by understanding its unique requirements. As the number of information workers rises, so does the growth and importance

White Paper EMC DATA DOMAIN ENCRYPTION A Detailed Review Abstract The proliferation of publicized data loss, coupled with new governance and compliance regulations, is driving the need for customers to

Three significant risks of FTP use and how to overcome them Management, security and automation Contents: 1 Make sure your file transfer infrastructure keeps pace with your business strategy 1 The nature

Service Overview Business Cloud Backup Techgate s Business Cloud Backup service is a secure, fully automated set and forget solution, powered by Attix5, and is ideal for organisations with limited in-house

HOW ENCRYPTION WORKS Technology Overview Strong Encryption BackupEDGE Introduction to BackupEDGE Data Encryption A major feature of BackupEDGE is the ability to protect archives containing critical client

SecureZIP User Guide SecureZIP is an application for zipping files to save storage space as well as encrypting files with password control to protect information. SecureZIP not only works alone to perform

Your Guide to Cost, Security, and Flexibility What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility 10 common questions answered Over the last decade, cloud backup, recovery

REDCENTRIC MANAGED BACKUP SERVICE SERVICE DEFINITION SD003 V2.3 Issue Date 02 July 2014 1) SERVICE OVERVIEW The Managed Backup Service (MBS) is a streamlined alternative to traditional backup and restore

Help maintain business continuity through efficient and effective storage management IBM Tivoli Storage Manager Highlights Increase business continuity by shortening backup and recovery times and maximizing

Appendix C Vendor Questions Anything t Applicable should be marked NA. Vendor Questions COTS Software Set Infrastructure 1. Typically the State of South Dakota prefers to host all systems. In the event

PRODUCT SHEET UPSTREAM for Linux on System z UPSTREAM for Linux on System z UPSTREAM for Linux on System z is designed to provide comprehensive data protection for your Linux on System z environment, leveraging

BANKING SECURITY and COMPLIANCE Cashing In On Banking Security and Compliance With awareness of data breaches at an all-time high, banking institutions are working hard to implement policies and solutions

FUJITSU Backup as a Service Rapid Recovery Appliance The unprecedented growth of business data The role that data plays in today s organization is rapidly increasing in importance. It guides and supports

(SLA) Arcplace Backup Enterprise Service 1. Introduction This Service Level Agreement ( SLA ) forms an integral part of the Agreement between Arcplace and Customer. This SLA describes the Backup Enterprise

Frequently sked uestions (Fs) United Computer Group, Inc. VULT400 System i (S/400) gent Revised September 2013 VULT400 System i (S/400) gent F What are the key benefits of VULT400 ISeries gent when compared

IT Security Newsletter September 2013 Hello In this issue: Something For Everyone! Managed Security Service for IBM i Thank you for reading the latest SRC Secure Solutions newsletter in which we hope to

Metalogix Replicator Quick Start Guide Publication Date: May 14, 2015 Copyright Metalogix International GmbH, 2002-2015. All Rights Reserved. This software is protected by copyright law and international

MySQL Security: Best Practices Sastry Vedantam sastry.vedantam@oracle.com Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes

SOLUTION BRIEF > > CONNECTIVITY BUSINESS SOLUTIONS FOR INTELLIGENCE FINANCIAL SERVICES ANALYTICS 1 INTRODUCTION It s no secret that the banking and financial services institutions of today are driven by

UniFS A True Global File System Introduction The traditional means to protect file data by making copies, combined with the need to provide access to shared data from multiple locations, has created an

What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered Over the last decade, cloud backup, recovery and restore (BURR) options have emerged

Windows Server 2008 R2 Hyper-V Live Migration White Paper Published: August 09 This is a preliminary document and may be changed substantially prior to final commercial release of the software described

Discover how and why file transfer is changing Why you should think of it as more than FTP 1 2013 IBM Corporation Agenda What is Smarter Commerce? What is the role of B2B integration? What is MFT? Problems

ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

When It Needs to Get Done at 2 a.m., That s when you can rely on CA Workload Automation 1 Your Workload Management Has Reached a Tipping Point YOUR ORGANIZATION HAS A SIMPLE DIRECTIVE: Provide the best